On Tuesday 01 April 2003 05:17 am, Martin Josefsson wrote:
> On Tue, 2003-04-01 at 10:41, Joel Newkirk wrote:
> > Personally I have four:
> >
> > 1 - revamped LOG entry format, especially cleaning up MAC.
>
> see the next remark.
>
> > 2 - completely separate netfilter logging from kernel log streams.
> > (not just redirecting infrequently-used kernel streams, but actual
> > dedicated netfilter streams)
>
> use ULOG
> you can easily modify the format it uses for the logfile.
> that part of the source isn't complicated at all.

Thanks. Digging further into ULOG is something that's been on my to-do list for a while now. I'm interested in setting up remote logging such as is possible with syslog. If necessity doesn't drive me to it sooner, I'll probably attack this in a few months.

> > 3 - Ability to match "original DestinationIP" of a DNATted packet in
> > subsequent chains. Useful with a single physical interface but
> > multiple IPs bound to it.
>
> Already there, look at the conntrack match (ipt_conntrack)

Wow. Never found this before, but I see it in the source for the CVS version I just downloaded, and after looking again I found it in the Netfilter Extensions HowTo. Thanks!

> iptables -A FORWARD -m conntrack --ctorigdst 1.1.1.1 -j ACCEPT

j
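As an added illustration of the scenario discussed in this message (not part of the thread and not code from the netfilter project): a box with two public addresses on one interface, each DNATed to a different internal server, where the FORWARD chain still needs to tell the two flows apart. The interface name, addresses and port are constructed for the example; `--ctorigdst` and `--ctstate` are options of the conntrack match named in the reply, and `--ulog-nlgroup`/`--ulog-prefix` are the ULOG target's own options (the group number is a choice made here). By default the script only prints the rules; set `IPTABLES=iptables` and run as root to apply them.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. All addresses below are constructed.
# By default the rules are printed rather than applied (IPTABLES defaults to "echo iptables").
IPTABLES="${IPTABLES:-echo iptables}"

WAN_IF=eth0
PUB_A=1.1.1.1    # public address A, DNATed to SRV_A
PUB_B=1.1.1.2    # public address B on the same interface, DNATed to SRV_B
SRV_A=10.0.0.10
SRV_B=10.0.0.20

# Emit the complete ruleset.
# PREROUTING rewrites the destination before routing, so by the time a packet
# reaches FORWARD its dst is already SRV_A or SRV_B; a plain '-d 1.1.1.1' match in
# FORWARD would never fire. The conntrack match's --ctorigdst tests the original
# (pre-NAT) destination recorded in the connection entry, which is what lets
# FORWARD distinguish "came in via PUB_A" from "came in via PUB_B".
generate_rules() {
    # DNAT: same port on two public addresses, two different backends
    $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$PUB_A" --dport 80 -j DNAT --to-destination "$SRV_A"
    $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$PUB_B" --dport 80 -j DNAT --to-destination "$SRV_B"

    # FORWARD: each backend may only be reached through its own public address.
    $IPTABLES -A FORWARD -i "$WAN_IF" -d "$SRV_A" -p tcp --dport 80 -m conntrack --ctorigdst "$PUB_A" -j ACCEPT
    $IPTABLES -A FORWARD -i "$WAN_IF" -d "$SRV_B" -p tcp --dport 80 -m conntrack --ctorigdst "$PUB_B" -j ACCEPT
    # Replies and related traffic belong to connections already accepted above.
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Anything else aimed at port 80 behind the firewall is logged through ULOG
    # (netlink multicast group 1, read by a userspace ULOG daemon) and dropped.
    $IPTABLES -A FORWARD -i "$WAN_IF" -p tcp --dport 80 -j ULOG --ulog-nlgroup 1 --ulog-prefix "fwd-drop: "
    $IPTABLES -A FORWARD -i "$WAN_IF" -p tcp --dport 80 -j DROP
}

# Sanity check: how many emitted rules carry a --ctorigdst match for the given
# address (fixed-string match, so the dots in the address are literal).
count_ctorigdst_rules() {
    generate_rules | grep -cF -- "--ctorigdst $1"
}

generate_rules
```

Without the `--ctorigdst` qualifier, a client connecting to `1.1.1.2` could never reach `10.0.0.10` through these DNAT rules anyway, but any FORWARD policy written in terms of the public address (per-IP logging, per-IP rate limits, different ACLs for the two services) only works once the match looks at the pre-NAT destination.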